Use the Work Plan in an investigation - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Cloud Documentation

Product: Cortex XSOAR
Version: 8
Creation date: 2024-03-07
Last date published: 2025-02-18
Category: Administrator Guide
Solution: Cloud
Abstract

A Work Plan is a visual representation of the running playbook that is assigned to an incident. Use it to monitor and manage a Playbook workflow.

The Work Plan is a visual representation of the running playbook assigned to the incident. Playbooks enable you to automate many security processes, such as managing your investigations and handling tickets. Work Plans enable you to monitor and manage a playbook workflow, and add new tasks to tailor the playbook to a specific investigation.

In an investigation, when you open the Work Plan tab you can see the playbook, the playbook name, and navigation tools.

By default, the Follow checkbox is selected, which lets you watch the playbook execute in real time: the view advances each time a task completes.

In the Work Plan you can do the following:

Change the default playbook

On the left-hand side of the window, select the playbook you want to run.

When you change the playbook, all completed tasks are removed and the new playbook runs. If you change playbooks several times, you can view the history of which playbooks ran.

Rerun the playbook

From the same playbook list used to change the playbook, select the current playbook to run it again.

View inputs and outputs

View the inputs and outputs of each task that has run. You can't view inputs and outputs of any task that hasn't run.

Manage tasks

View, create, and edit a playbook task. For each task, you can do the following:

  • Designate tasks as complete, either manually or by running a script.

  • Assign an owner.

  • Set a due date.

  • Add comments and completion notes, as required.

You can also manage these tasks in the CLI by using the /task command. For more information about tasks, see Incident Tasks.

Export to a PNG

Export the Work Plan to PNG format for easy analysis and sharing.

The color coding and symbols in the Work Plan help you troubleshoot errors and respond to manual steps. The following entries describe the playbook task types and task states, and the icons that represent them in the Work Plan.

Standard task (manual or automated)

An arrow on a light blue square background indicates a standard task. These tasks can either be manual (no lightning bolt icon) or automated (with a lightning bolt icon).

  • Manual standard task (no lightning bolt icon):

    These tasks are used for steps that usually cannot be automated. You can add comments, assign them to an owner, and set a due date. The analyst who is responsible for the investigation needs to complete the task before the Work Plan can continue.

  • Automated standard task (with lightning bolt icon):

    A single command or script that is set to run automatically when the Work Plan reaches this step. Some scripts need arguments in order to run, so make sure to set them up properly. If the arguments are left empty, the analyst who is responsible for the investigation will need to fill them in so that the script can run and the Work Plan can continue.

Conditional task

A diamond icon on a purple square background indicates a conditional task, which is either an automated conditional task (with the lightning bolt icon) or a manual conditional task. These tasks act as decision points (decision trees) in your Work Plan.

Data collection task / Communication task

A speech bubble on a turquoise background indicates a data collection task. This task prompts the recipients to respond to a multi-question form and submit their replies, even if they are not Cortex users.

Sub-playbook task

A workflow icon on a blue background indicates that the task is a playbook nested within the parent playbook. To view that playbook, open the task and select Open sub-playbook.

Task containing a deprecated script or a script that needs to be updated

Scripts that have updates available or are deprecated are marked with a yellow triangle. Update the scripts and integration commands in playbook tasks to their most current version.

Set to skip

When a task is set to skip, its skip icon is orange.

Breakpoint

When the playbook reaches a breakpoint, the task has an orange line at the top to indicate the breakpoint.

Overridden inputs or outputs

When a task has overridden inputs or outputs, the word Input or Output appears in orange.

Pending/in queue task

When the Work Plan starts to run, all tasks that have not yet been performed are gray.

Running/in progress task

A spinning circle inside the gray square indicates a running (in progress) task.

Completed task

A green square indicates a completed task.

Waiting task

An orange square indicates that the playbook is pending action.

If you hover over the icon in the top left corner, details about why this task is waiting appear.

If the orange square is paired with the user icon, the task requires you to open it and manually mark it as complete.

If the orange square is paired with a speech bubble icon, the task is waiting for a questionnaire to be completed.

Failed task

A red warning icon indicates that the automation failed to complete as expected and requires manual inspection and troubleshooting. Contact your Cortex XSOAR administrator.

If you hover over the icon in the top left corner, details about the specific problem appear.

If the red warning icon is paired with the clock icon, the task's SLA is overdue.

Skipped task

The task appears faded to indicate that it was not executed. This happens if the task was set to be skipped when an error occurs, or if it is in a branch that was not taken because its condition was not met.
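To make the task-state rules above concrete (an automated task with empty arguments waits for the analyst, a manual task waits until it is marked complete, a failing script is either failed or, when set to skip on error, skipped, and tasks on a branch whose condition was not met are skipped), here is a constructed Python model of those rules. It is an added example, not Cortex XSOAR's playbook engine or any of its code; the Task fields, run_task and run_workplan names are all assumptions.

```python
"""Constructed model of the Work Plan task states on this page (not XSOAR's engine)."""
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Task:
    name: str
    kind: str = "manual"                     # manual | automated | conditional
    script: Optional[Callable] = None        # callable(args) -> result or branch label
    args: dict = field(default_factory=dict)
    required_args: tuple = ()                # arguments the script cannot run without
    skip_on_error: bool = False              # "set to be skipped when an error occurs"
    done_by_analyst: bool = False            # manual task marked complete in the UI
    branch: Optional[str] = None             # conditional branch the task belongs to
    state: str = "pending"                   # gray square until the task is reached
    reason: str = ""                         # what the hover tooltip would show

def run_task(task: Task) -> str:
    """Run one task and return its resulting Work Plan state."""
    task.state = "running"
    if task.kind == "manual":                # orange square + user icon until completed
        task.state = "completed" if task.done_by_analyst else "waiting"
        task.reason = "" if task.done_by_analyst else "analyst must mark the task complete"
        return task.state
    missing = [a for a in task.required_args if not task.args.get(a)]
    if missing:                              # empty arguments: the analyst must fill them in
        task.state, task.reason = "waiting", "missing arguments: " + ", ".join(missing)
        return task.state
    try:
        task.result = task.script(task.args)
        task.state = "completed"             # green square
    except Exception as exc:                 # red warning icon, or faded if skip-on-error
        task.state = "skipped" if task.skip_on_error else "failed"
        task.reason = str(exc)
    return task.state

def run_workplan(tasks: list) -> dict:
    """Run tasks in order, skip branches not taken, stop at the first waiting/failed task."""
    chosen = None
    for task in tasks:
        if task.branch is not None and task.branch != chosen:
            task.state, task.reason = "skipped", "branch not taken"   # faded task
            continue
        state = run_task(task)
        if task.kind == "conditional" and state == "completed":
            chosen = task.result             # the conditional's answer selects the branch
        if state in ("waiting", "failed"):
            break                            # the Work Plan cannot continue
    return {t.name: t.state for t in tasks}
```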